Merge branch 'refs/heads/main' into refactor/permissions-manager

# Conflicts: # management/internals/modules/reverseproxy/service/manager/api.go # management/server/http/handler.go
2026-04-23 02:36:42 +00:00 · 2026-03-06 11:37:53 +01:00
parent 32730af33f 85451ab4cd
commit b0ce0048b4
134 changed files with 13391 additions and 3786 deletions
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -17,9 +17,9 @@ import (

 	"github.com/netbirdio/netbird/management/server/types"

-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service/manager"

 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	idpmanager "github.com/netbirdio/netbird/management/server/idp"
@@ -73,7 +73,7 @@ const (
 )

 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix) (http.Handler, error) {

 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -173,8 +173,8 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	idp.AddEndpoints(accountManager, router, permissionsManager)
 	instance.AddEndpoints(instanceManager, router)
 	instance.AddVersionEndpoint(instanceManager, router, permissionsManager)
-	if reverseProxyManager != nil && reverseProxyDomainManager != nil {
-		reverseproxymanager.RegisterEndpoints(reverseProxyManager, *reverseProxyDomainManager, reverseProxyAccessLogsManager, permissionsManager, router)
+	if serviceManager != nil && reverseProxyDomainManager != nil {
+		reverseproxymanager.RegisterEndpoints(serviceManager, *reverseProxyDomainManager, reverseProxyAccessLogsManager, permissionsManager, router)
 	}

 	// Register OAuth callback handler for proxy authentication
--- a/management/server/http/handlers/accounts/accounts_handler.go
+++ b/management/server/http/handlers/accounts/accounts_handler.go
@@ -163,6 +163,10 @@ func (h *handler) getAllAccounts(w http.ResponseWriter, r *http.Request, userAut
 }

 func (h *handler) updateAccountRequestSettings(req api.PutApiAccountsAccountIdJSONRequestBody) (*types.Settings, error) {
+	if req.Settings.PeerExposeEnabled && len(req.Settings.PeerExposeGroups) == 0 {
+		return nil, status.Errorf(status.InvalidArgument, "peer expose requires at least one group")
+	}
+
 	returnSettings := &types.Settings{
 		PeerLoginExpirationEnabled: req.Settings.PeerLoginExpirationEnabled,
 		PeerLoginExpiration:        time.Duration(float64(time.Second.Nanoseconds()) * float64(req.Settings.PeerLoginExpiration)),
@@ -170,6 +174,9 @@ func (h *handler) updateAccountRequestSettings(req api.PutApiAccountsAccountIdJS

 		PeerInactivityExpirationEnabled: req.Settings.PeerInactivityExpirationEnabled,
 		PeerInactivityExpiration:        time.Duration(float64(time.Second.Nanoseconds()) * float64(req.Settings.PeerInactivityExpiration)),
+
+		PeerExposeEnabled: req.Settings.PeerExposeEnabled,
+		PeerExposeGroups:  req.Settings.PeerExposeGroups,
 	}

 	if req.Settings.Extra != nil {
@@ -317,6 +324,8 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		JwtAllowGroups:                  &jwtAllowGroups,
 		RegularUsersViewBlocked:         settings.RegularUsersViewBlocked,
 		RoutingPeerDnsResolutionEnabled: &settings.RoutingPeerDNSResolutionEnabled,
+		PeerExposeEnabled:               settings.PeerExposeEnabled,
+		PeerExposeGroups:                settings.PeerExposeGroups,
 		LazyConnectionEnabled:           &settings.LazyConnectionEnabled,
 		DnsDomain:                       &settings.DNSDomain,
 		AutoUpdateVersion:               &settings.AutoUpdateVersion,
--- a/management/server/http/handlers/proxy/auth_callback_integration_test.go
+++ b/management/server/http/handlers/proxy/auth_callback_integration_test.go
@@ -18,8 +18,8 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/require"

-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -190,7 +190,8 @@ func setupAuthCallbackTest(t *testing.T) *testSetup {

 	oidcServer := newFakeOIDCServer()

-	tokenStore := nbgrpc.NewOneTimeTokenStore(time.Minute)
+	tokenStore, err := nbgrpc.NewOneTimeTokenStore(ctx, time.Minute, 10*time.Minute, 100)
+	require.NoError(t, err)

 	usersManager := users.NewManager(testStore)

@@ -208,9 +209,10 @@ func setupAuthCallbackTest(t *testing.T) *testSetup {
 		oidcConfig,
 		nil,
 		usersManager,
+		nil,
 	)

-	proxyService.SetProxyManager(&testServiceManager{store: testStore})
+	proxyService.SetServiceManager(&testServiceManager{store: testStore})

 	handler := NewAuthCallbackHandler(proxyService, nil)

@@ -239,12 +241,12 @@ func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store
 	pubKey := base64.StdEncoding.EncodeToString(pub)
 	privKey := base64.StdEncoding.EncodeToString(priv)

-	testProxy := &reverseproxy.Service{
+	testProxy := &service.Service{
 		ID:        "testProxyId",
 		AccountID: "testAccountId",
 		Name:      "Test Proxy",
 		Domain:    "test-proxy.example.com",
-		Targets: []*reverseproxy.Target{{
+		Targets: []*service.Target{{
 			Path:       strPtr("/"),
 			Host:       "localhost",
 			Port:       8080,
@@ -254,8 +256,8 @@ func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store
 			Enabled:    true,
 		}},
 		Enabled: true,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
+		Auth: service.AuthConfig{
+			BearerAuth: &service.BearerAuthConfig{
 				Enabled:            true,
 				DistributionGroups: []string{"allowedGroupId"},
 			},
@@ -265,12 +267,12 @@ func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store
 	}
 	require.NoError(t, testStore.CreateService(ctx, testProxy))

-	restrictedProxy := &reverseproxy.Service{
+	restrictedProxy := &service.Service{
 		ID:        "restrictedProxyId",
 		AccountID: "testAccountId",
 		Name:      "Restricted Proxy",
 		Domain:    "restricted-proxy.example.com",
-		Targets: []*reverseproxy.Target{{
+		Targets: []*service.Target{{
 			Path:       strPtr("/"),
 			Host:       "localhost",
 			Port:       8080,
@@ -280,8 +282,8 @@ func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store
 			Enabled:    true,
 		}},
 		Enabled: true,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
+		Auth: service.AuthConfig{
+			BearerAuth: &service.BearerAuthConfig{
 				Enabled:            true,
 				DistributionGroups: []string{"restrictedGroupId"},
 			},
@@ -291,12 +293,12 @@ func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store
 	}
 	require.NoError(t, testStore.CreateService(ctx, restrictedProxy))

-	noAuthProxy := &reverseproxy.Service{
+	noAuthProxy := &service.Service{
 		ID:        "noAuthProxyId",
 		AccountID: "testAccountId",
 		Name:      "No Auth Proxy",
 		Domain:    "no-auth-proxy.example.com",
-		Targets: []*reverseproxy.Target{{
+		Targets: []*service.Target{{
 			Path:       strPtr("/"),
 			Host:       "localhost",
 			Port:       8080,
@@ -306,8 +308,8 @@ func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store
 			Enabled:    true,
 		}},
 		Enabled: true,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
+		Auth: service.AuthConfig{
+			BearerAuth: &service.BearerAuthConfig{
 				Enabled: false,
 			},
 		},
@@ -361,19 +363,19 @@ func (m *testServiceManager) DeleteAllServices(ctx context.Context, accountID, u
 	return nil
 }

-func (m *testServiceManager) GetAllServices(_ context.Context, _, _ string) ([]*reverseproxy.Service, error) {
+func (m *testServiceManager) GetAllServices(_ context.Context, _, _ string) ([]*service.Service, error) {
 	return nil, nil
 }

-func (m *testServiceManager) GetService(_ context.Context, _, _, _ string) (*reverseproxy.Service, error) {
+func (m *testServiceManager) GetService(_ context.Context, _, _, _ string) (*service.Service, error) {
 	return nil, nil
 }

-func (m *testServiceManager) CreateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
+func (m *testServiceManager) CreateService(_ context.Context, _, _ string, _ *service.Service) (*service.Service, error) {
 	return nil, nil
 }

-func (m *testServiceManager) UpdateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
+func (m *testServiceManager) UpdateService(_ context.Context, _, _ string, _ *service.Service) (*service.Service, error) {
 	return nil, nil
 }

@@ -385,7 +387,7 @@ func (m *testServiceManager) SetCertificateIssuedAt(_ context.Context, _, _ stri
 	return nil
 }

-func (m *testServiceManager) SetStatus(_ context.Context, _, _ string, _ reverseproxy.ProxyStatus) error {
+func (m *testServiceManager) SetStatus(_ context.Context, _, _ string, _ service.Status) error {
 	return nil
 }

@@ -397,15 +399,15 @@ func (m *testServiceManager) ReloadService(_ context.Context, _, _ string) error
 	return nil
 }

-func (m *testServiceManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
+func (m *testServiceManager) GetGlobalServices(ctx context.Context) ([]*service.Service, error) {
 	return m.store.GetServices(ctx, store.LockingStrengthNone)
 }

-func (m *testServiceManager) GetServiceByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.Service, error) {
+func (m *testServiceManager) GetServiceByID(ctx context.Context, accountID, proxyID string) (*service.Service, error) {
 	return m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, proxyID)
 }

-func (m *testServiceManager) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
+func (m *testServiceManager) GetAccountServices(ctx context.Context, accountID string) ([]*service.Service, error) {
 	return m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
 }

@@ -413,6 +415,20 @@ func (m *testServiceManager) GetServiceIDByTargetID(_ context.Context, _, _ stri
 	return "", nil
 }

+func (m *testServiceManager) CreateServiceFromPeer(_ context.Context, _, _ string, _ *service.ExposeServiceRequest) (*service.ExposeServiceResponse, error) {
+	return nil, nil
+}
+
+func (m *testServiceManager) RenewServiceFromPeer(_ context.Context, _, _, _ string) error {
+	return nil
+}
+
+func (m *testServiceManager) StopServiceFromPeer(_ context.Context, _, _, _ string) error {
+	return nil
+}
+
+func (m *testServiceManager) StartExposeReaper(_ context.Context) {}
+
 func createTestState(t *testing.T, ps *nbgrpc.ProxyServiceServer, redirectURL string) string {
 	t.Helper()

--- a/management/server/http/testing/testing_tools/channel/channel.go
+++ b/management/server/http/testing/testing_tools/channel/channel.go
@@ -9,10 +9,13 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"

+	"go.opentelemetry.io/otel/metric/noop"
+
 	"github.com/netbirdio/management-integrations/integrations"
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
-	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
+	proxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy/manager"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"

 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -91,12 +94,24 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	}

 	accessLogsManager := accesslogsmanager.NewManager(store, permissionsManager, nil)
-	proxyTokenStore := nbgrpc.NewOneTimeTokenStore(1 * time.Minute)
-	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager)
-	domainManager := manager.NewManager(store, proxyServiceServer, permissionsManager)
-	reverseProxyManager := reverseproxymanager.NewManager(store, am, permissionsManager, proxyServiceServer, domainManager)
-	proxyServiceServer.SetProxyManager(reverseProxyManager)
-	am.SetServiceManager(reverseProxyManager)
+	proxyTokenStore, err := nbgrpc.NewOneTimeTokenStore(ctx, 5*time.Minute, 10*time.Minute, 100)
+	if err != nil {
+		t.Fatalf("Failed to create proxy token store: %v", err)
+	}
+	noopMeter := noop.NewMeterProvider().Meter("")
+	proxyMgr, err := proxymanager.NewManager(store, noopMeter)
+	if err != nil {
+		t.Fatalf("Failed to create proxy manager: %v", err)
+	}
+	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager, proxyMgr)
+	domainManager := manager.NewManager(store, proxyMgr, permissionsManager)
+	serviceProxyController, err := proxymanager.NewGRPCController(proxyServiceServer, noopMeter)
+	if err != nil {
+		t.Fatalf("Failed to create proxy controller: %v", err)
+	}
+	serviceManager := reverseproxymanager.NewManager(store, am, permissionsManager, serviceProxyController, domainManager)
+	proxyServiceServer.SetServiceManager(serviceManager)
+	am.SetServiceManager(serviceManager)

 	// @note this is required so that PAT's validate from store, but JWT's are mocked
 	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
@@ -114,7 +129,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)

-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, reverseProxyManager, nil, nil, nil, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}